Users of the instant messaging application ICQ are urged to upgrade to the latest version of the software because of a potentially damaging bug in older versions, according to a notice on the ICQ Web site.
A bug has been found in the ICQ Voice Video & Games feature for versions earlier than 2001b, according to the notice. ICQ 2001b was released on Oct. 31 last year. Over 100 million people worldwide are registered as ICQ users, according to the ICQ Web site.
ICQ is owned by America Online Time Warner Inc. (AOL), which earlier this month had to patch a hole in its other instant messaging product, AOL Instant Messenger (AIM). The hole in ICQ is very similar, according to Daniel Tan, a University of Pennsylvania student who first reported the vulnerability in a posting to the Bugtraq mailing list.
Both ICQ and AIM are flawed in the way they handle a certain data packet, causing a buffer overflow and potentially allowing an attacker to run arbitrary code on a user's computer, Tan wrote. Details on how to exploit the vulnerability were not published because Tan wanted to give AOL time to fix its software, according to his posting.
Users can check if their version of AIM is vulnerable by clicking on any username in the ICQ contact list and looking for the Voice Video & Games options. ICQ is vulnerable if the options are available, according to the notice on the ICQ Web site.